[Python-modules-commits] [python-django] 01/07: Import python-django_1.8.15.orig.tar.gz

Raphaël Hertzog hertzog at moszumanska.debian.org
Tue Sep 27 12:12:58 UTC 2016



hertzog pushed a commit to branch debian/jessie-backports
in repository python-django.

commit ef4afdabb486be460f94a71fc40515c3590db64b
Author: Raphaël Hertzog <hertzog at debian.org>
Date:   Tue Sep 27 13:43:32 2016 +0200

    Import python-django_1.8.15.orig.tar.gz
---
 Django.egg-info/PKG-INFO                           |   2 +-
 Django.egg-info/SOURCES.txt                        |   1 +
 PKG-INFO                                           |   2 +-
 django/__init__.py                                 |   2 +-
 django/http/cookie.py                              |  29 ++++++------
 .../static/docicons-behindscenes.png               | Bin 49 -> 1065 bytes
 .../djangodocs-epub/static/docicons-note.png       | Bin 41 -> 559 bytes
 .../djangodocs-epub/static/docicons-philosophy.png | Bin 47 -> 791 bytes
 .../djangodocs-epub/static/docicons-warning.png    | Bin 44 -> 782 bytes
 docs/howto/deployment/wsgi/uwsgi.txt               |   2 +-
 docs/releases/1.8.15.txt                           |  18 +++++++
 docs/releases/1.8.txt                              |  10 ++--
 docs/releases/index.txt                            |   1 +
 docs/releases/security.txt                         |  13 ++++++
 tests/gis_tests/test_geoip.py                      |   8 ++--
 tests/httpwrappers/tests.py                        |  52 ++++++++++++++++++++-
 tests/middleware/test_security.py                  |   2 +-
 tests/requests/tests.py                            |   5 +-
 tests/template_tests/syntax_tests/test_numpy.py    |   4 +-
 19 files changed, 120 insertions(+), 31 deletions(-)

diff --git a/Django.egg-info/PKG-INFO b/Django.egg-info/PKG-INFO
index 73bedcf..28304ac 100644
--- a/Django.egg-info/PKG-INFO
+++ b/Django.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: Django
-Version: 1.8.14
+Version: 1.8.15
 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 Home-page: http://www.djangoproject.com/
 Author: Django Software Foundation
diff --git a/Django.egg-info/SOURCES.txt b/Django.egg-info/SOURCES.txt
index c152a2e..2eda666 100644
--- a/Django.egg-info/SOURCES.txt
+++ b/Django.egg-info/SOURCES.txt
@@ -3406,6 +3406,7 @@ docs/releases/1.8.11.txt
 docs/releases/1.8.12.txt
 docs/releases/1.8.13.txt
 docs/releases/1.8.14.txt
+docs/releases/1.8.15.txt
 docs/releases/1.8.2.txt
 docs/releases/1.8.3.txt
 docs/releases/1.8.4.txt
diff --git a/PKG-INFO b/PKG-INFO
index 73bedcf..28304ac 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: Django
-Version: 1.8.14
+Version: 1.8.15
 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 Home-page: http://www.djangoproject.com/
 Author: Django Software Foundation
diff --git a/django/__init__.py b/django/__init__.py
index f92ff55..0ceee47 100644
--- a/django/__init__.py
+++ b/django/__init__.py
@@ -1,6 +1,6 @@
 from django.utils.version import get_version
 
-VERSION = (1, 8, 14, 'final', 0)
+VERSION = (1, 8, 15, 'final', 0)
 
 __version__ = get_version(VERSION)
 
diff --git a/django/http/cookie.py b/django/http/cookie.py
index a3dbd2a..decb6db 100644
--- a/django/http/cookie.py
+++ b/django/http/cookie.py
@@ -89,18 +89,21 @@ else:
 
 
 def parse_cookie(cookie):
-    if cookie == '':
-        return {}
-    if not isinstance(cookie, http_cookies.BaseCookie):
-        try:
-            c = SimpleCookie()
-            c.load(cookie)
-        except http_cookies.CookieError:
-            # Invalid cookie
-            return {}
-    else:
-        c = cookie
+    """
+    Return a dictionary parsed from a `Cookie:` header string.
+    """
     cookiedict = {}
-    for key in c.keys():
-        cookiedict[key] = c.get(key).value
+    if six.PY2:
+        cookie = force_str(cookie)
+    for chunk in cookie.split(str(';')):
+        if str('=') in chunk:
+            key, val = chunk.split(str('='), 1)
+        else:
+            # Assume an empty name per
+            # https://bugzilla.mozilla.org/show_bug.cgi?id=169091
+            key, val = str(''), chunk
+        key, val = key.strip(), val.strip()
+        if key or val:
+            # unquote using Python's algorithm.
+            cookiedict[key] = http_cookies._unquote(val)
     return cookiedict
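Review bot: The rewritten parse_cookie no longer accepts an http_cookies.BaseCookie instance — the old isinstance branch is gone, so a caller that still passes a SimpleCookie will raise AttributeError at `cookie.split(str(';'))` instead of getting its values back; if that is intended, the docstring should state that the argument must be the raw header string. The body also depends on the private `http_cookies._unquote`, which carries no stability guarantee across Python releases; a comment such as `# _unquote is a private stdlib helper; test_python_cookies in tests/httpwrappers pins the behaviour relied on here` would make the coupling visible. The docstring could further record the two deliberate deviations from RFC 6265 that the new tests assert — every semicolon is a delimiter even inside a quoted value, and a repeated name keeps the last value — since the release notes present this simplification itself as the mitigation. `six` and `force_str` are presumably imported earlier in the file, outside the hunk.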
diff --git a/docs/_theme/djangodocs-epub/static/docicons-behindscenes.png b/docs/_theme/djangodocs-epub/static/docicons-behindscenes.png
deleted file mode 120000
index 3f1cd17..0000000
--- a/docs/_theme/djangodocs-epub/static/docicons-behindscenes.png
+++ /dev/null
@@ -1 +0,0 @@
-../../djangodocs/static/docicons-behindscenes.png
\ No newline at end of file
diff --git a/docs/_theme/djangodocs-epub/static/docicons-behindscenes.png b/docs/_theme/djangodocs-epub/static/docicons-behindscenes.png
new file mode 100644
index 0000000..4371103
Binary files /dev/null and b/docs/_theme/djangodocs-epub/static/docicons-behindscenes.png differ
diff --git a/docs/_theme/djangodocs-epub/static/docicons-note.png b/docs/_theme/djangodocs-epub/static/docicons-note.png
deleted file mode 120000
index b8193a3..0000000
--- a/docs/_theme/djangodocs-epub/static/docicons-note.png
+++ /dev/null
@@ -1 +0,0 @@
-../../djangodocs/static/docicons-note.png
\ No newline at end of file
diff --git a/docs/_theme/djangodocs-epub/static/docicons-note.png b/docs/_theme/djangodocs-epub/static/docicons-note.png
new file mode 100644
index 0000000..b849019
Binary files /dev/null and b/docs/_theme/djangodocs-epub/static/docicons-note.png differ
diff --git a/docs/_theme/djangodocs-epub/static/docicons-philosophy.png b/docs/_theme/djangodocs-epub/static/docicons-philosophy.png
deleted file mode 120000
index 26d9a0c..0000000
--- a/docs/_theme/djangodocs-epub/static/docicons-philosophy.png
+++ /dev/null
@@ -1 +0,0 @@
-../../djangodocs/static/docicons-philosophy.png
\ No newline at end of file
diff --git a/docs/_theme/djangodocs-epub/static/docicons-philosophy.png b/docs/_theme/djangodocs-epub/static/docicons-philosophy.png
new file mode 100644
index 0000000..a864f58
Binary files /dev/null and b/docs/_theme/djangodocs-epub/static/docicons-philosophy.png differ
diff --git a/docs/_theme/djangodocs-epub/static/docicons-warning.png b/docs/_theme/djangodocs-epub/static/docicons-warning.png
deleted file mode 120000
index 455195f..0000000
--- a/docs/_theme/djangodocs-epub/static/docicons-warning.png
+++ /dev/null
@@ -1 +0,0 @@
-../../djangodocs/static/docicons-warning.png
\ No newline at end of file
diff --git a/docs/_theme/djangodocs-epub/static/docicons-warning.png b/docs/_theme/djangodocs-epub/static/docicons-warning.png
new file mode 100644
index 0000000..031b3e7
Binary files /dev/null and b/docs/_theme/djangodocs-epub/static/docicons-warning.png differ
diff --git a/docs/howto/deployment/wsgi/uwsgi.txt b/docs/howto/deployment/wsgi/uwsgi.txt
index 932d168..f0a8f10 100644
--- a/docs/howto/deployment/wsgi/uwsgi.txt
+++ b/docs/howto/deployment/wsgi/uwsgi.txt
@@ -114,7 +114,7 @@ Example ini configuration file usage::
     that contain non-ASCII characters, make sure uWSGI is configured to accept
     non-ASCII file names by adding this to your ``uwsgi.ini``::
 
-        env = LANG='en_US.UTF-8'
+        env = LANG=en_US.UTF-8
 
     See the :ref:`unicode-files` section of the Unicode reference guide for
     details.
diff --git a/docs/releases/1.8.15.txt b/docs/releases/1.8.15.txt
new file mode 100644
index 0000000..e977cff
--- /dev/null
+++ b/docs/releases/1.8.15.txt
@@ -0,0 +1,18 @@
+===========================
+Django 1.8.15 release notes
+===========================
+
+*September 26, 2016*
+
+Django 1.8.15 fixes a security issue in 1.8.14.
+
+CSRF protection bypass on a site with Google Analytics
+======================================================
+
+An interaction between Google Analytics and Django's cookie parsing could allow
+an attacker to set arbitrary cookies leading to a bypass of CSRF protection.
+
+The parser for ``request.COOKIES`` is simplified to better match the behavior
+of browsers and to mitigate this attack. ``request.COOKIES`` may now contain
+cookies that are invalid according to :rfc:`6265` but are possible to set via
+``document.cookie``.
diff --git a/docs/releases/1.8.txt b/docs/releases/1.8.txt
index 7aba611..e00c56b 100644
--- a/docs/releases/1.8.txt
+++ b/docs/releases/1.8.txt
@@ -1480,9 +1480,13 @@ It's a legacy option that should no longer be necessary.
 will be removed in Django 1.10. Historically, it was used to handle fields where
 type conversion was needed when loading from the database, but it was not used
 in ``.values()`` calls or in aggregates. It has been replaced with
-:meth:`~django.db.models.Field.from_db_value`. Note that the new approach does
-not call the :meth:`~django.db.models.Field.to_python` method on assignment
-as was the case with ``SubfieldBase``.
+:meth:`~django.db.models.Field.from_db_value`.
+
+The new approach doesn't call the :meth:`~django.db.models.Field.to_python`
+method on assignment as was the case with ``SubfieldBase``. If you need that
+behavior, reimplement the ``Creator`` class `from Django's source code
+<https://github.com/django/django/blob/stable/1.8.x/django/db/models/fields/subclassing.py#L31-L44>`_
+in your project.
 
 ``django.utils.checksums``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 070d815..b80ce58 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -25,6 +25,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   1.8.15
    1.8.14
    1.8.13
    1.8.12
diff --git a/docs/releases/security.txt b/docs/releases/security.txt
index 5d2793b..c7ba75f 100644
--- a/docs/releases/security.txt
+++ b/docs/releases/security.txt
@@ -730,3 +730,16 @@ Versions affected
 
 * Django 1.9 `(patch) <https://github.com/django/django/commit/af7d09b0c5c6ab68e629fd9baf736f9dd203b18e>`__
 * Django 1.8 `(patch) <https://github.com/django/django/commit/f4e6e02f7713a6924d16540be279909ff4091eb6>`__
+
+July 18, 2016 - CVE-2016-6186
+-----------------------------
+
+`CVE-2016-6186 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6186&cid=2>`_:
+XSS in admin's add/change related popup.
+`Full description <https://www.djangoproject.com/weblog/2016/jul/18/security-releases/>`__
+
+Versions affected
+~~~~~~~~~~~~~~~~~
+
+* Django 1.9 `(patch) <https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158>`__
+* Django 1.8 `(patch) <https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d>`__
diff --git a/tests/gis_tests/test_geoip.py b/tests/gis_tests/test_geoip.py
index 111620c..3d7a105 100644
--- a/tests/gis_tests/test_geoip.py
+++ b/tests/gis_tests/test_geoip.py
@@ -107,14 +107,14 @@ class GeoIPTest(unittest.TestCase):
             lat_lon = g.lat_lon(query)
             lat_lon = (lat_lon[1], lat_lon[0])
             for tup in (geom.tuple, g.coords(query), g.lon_lat(query), lat_lon):
-                self.assertAlmostEqual(lon, tup[0], 4)
-                self.assertAlmostEqual(lat, tup[1], 4)
+                self.assertAlmostEqual(lon, tup[0], 0)
+                self.assertAlmostEqual(lat, tup[1], 0)
 
     def test05_unicode_response(self):
         "Testing that GeoIP strings are properly encoded, see #16553."
         g = GeoIP()
-        d = g.city("duesseldorf.de")
-        self.assertEqual('Ratingen', d['city'])
+        d = g.city("hs-duesseldorf.de")
+        self.assertEqual('Düsseldorf', d['city'])
         d = g.country('200.26.205.1')
         # Some databases have only unaccented countries
         self.assertIn(d['country_name'], ('Curaçao', 'Curacao'))
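Review bot: The precision passed to assertAlmostEqual drops from 4 to 0 decimal places at the two changed lines, which accepts up to half a degree of error in both longitude and latitude — a much weaker check than before, and nothing in the hunk says why. If the reason is that newer GeoIP databases place the query city differently, a comment would keep the next reader from tightening it back, e.g. `# Coordinates drift between GeoIP database releases; only the integer part is stable`. The enclosing test method starts outside the hunk. The second change puts the non-ASCII literal 'Düsseldorf' in source; presumably the file already declares a coding and unicode literals for the existing 'Curaçao' assertion in the context lines.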
diff --git a/tests/httpwrappers/tests.py b/tests/httpwrappers/tests.py
index dbe85bf..753a7b2 100644
--- a/tests/httpwrappers/tests.py
+++ b/tests/httpwrappers/tests.py
@@ -21,7 +21,7 @@ from django.http import (
 from django.test import TestCase
 from django.utils import six
 from django.utils._os import upath
-from django.utils.encoding import force_text, smart_str
+from django.utils.encoding import force_str, force_text, smart_str
 from django.utils.functional import lazy
 
 lazystr = lazy(force_text, six.text_type)
@@ -643,6 +643,8 @@ class CookieTests(unittest.TestCase):
         c2 = SimpleCookie()
         c2.load(c.output()[12:])
         self.assertEqual(c['test'].value, c2['test'].value)
+        c3 = parse_cookie(c.output()[12:])
+        self.assertEqual(c['test'].value, c3['test'])
 
     def test_decode_2(self):
         """
@@ -653,6 +655,8 @@ class CookieTests(unittest.TestCase):
         c2 = SimpleCookie()
         c2.load(c.output()[12:])
         self.assertEqual(c['test'].value, c2['test'].value)
+        c3 = parse_cookie(c.output()[12:])
+        self.assertEqual(c['test'].value, c3['test'])
 
     def test_nonstandard_keys(self):
         """
@@ -666,6 +670,52 @@ class CookieTests(unittest.TestCase):
         """
         self.assertIn('good_cookie', parse_cookie('a:=b; a:=c; good_cookie=yes').keys())
 
+    def test_python_cookies(self):
+        """
+        Test cases copied from Python's Lib/test/test_http_cookies.py
+        """
+        self.assertEqual(parse_cookie('chips=ahoy; vienna=finger'), {'chips': 'ahoy', 'vienna': 'finger'})
+        # Here parse_cookie() differs from Python's cookie parsing in that it
+        # treats all semicolons as delimiters, even within quotes.
+        self.assertEqual(
+            parse_cookie('keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"'),
+            {'keebler': '"E=mc2', 'L': '\\"Loves\\"', 'fudge': '\\012', '': '"'}
+        )
+        # Illegal cookies that have an '=' char in an unquoted value.
+        self.assertEqual(parse_cookie('keebler=E=mc2'), {'keebler': 'E=mc2'})
+        # Cookies with ':' character in their name.
+        self.assertEqual(parse_cookie('key:term=value:term'), {'key:term': 'value:term'})
+        # Cookies with '[' and ']'.
+        self.assertEqual(parse_cookie('a=b; c=[; d=r; f=h'), {'a': 'b', 'c': '[', 'd': 'r', 'f': 'h'})
+
+    def test_cookie_edgecases(self):
+        # Cookies that RFC6265 allows.
+        self.assertEqual(parse_cookie('a=b; Domain=example.com'), {'a': 'b', 'Domain': 'example.com'})
+        # parse_cookie() has historically kept only the last cookie with the
+        # same name.
+        self.assertEqual(parse_cookie('a=b; h=i; a=c'), {'a': 'c', 'h': 'i'})
+
+    def test_invalid_cookies(self):
+        """
+        Cookie strings that go against RFC6265 but browsers will send if set
+        via document.cookie.
+        """
+        # Chunks without an equals sign appear as unnamed values per
+        # https://bugzilla.mozilla.org/show_bug.cgi?id=169091
+        self.assertIn('django_language', parse_cookie('abc=def; unnamed; django_language=en').keys())
+        # Even a double quote may be an unamed value.
+        self.assertEqual(parse_cookie('a=b; "; c=d'), {'a': 'b', '': '"', 'c': 'd'})
+        # Spaces in names and values, and an equals sign in values.
+        self.assertEqual(parse_cookie('a b c=d e = f; gh=i'), {'a b c': 'd e = f', 'gh': 'i'})
+        # More characters the spec forbids.
+        self.assertEqual(parse_cookie('a   b,c<>@:/[]?{}=d  "  =e,f g'), {'a   b,c<>@:/[]?{}': 'd  "  =e,f g'})
+        # Unicode characters. The spec only allows ASCII.
+        self.assertEqual(parse_cookie('saint=André Bessette'), {'saint': force_str('André Bessette')})
+        # Browsers don't send extra whitespace or semicolons in Cookie headers,
+        # but parse_cookie() should parse whitespace the same way
+        # document.cookie parses whitespace.
+        self.assertEqual(parse_cookie('  =  b  ;  ;  =  ;   c  =  ;  '), {'': 'b', 'c': ''})
+
     def test_httponly_after_load(self):
         """
         Test that we can use httponly attribute on cookies that we load
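Review bot: test_cookie_edgecases is the only new method without a docstring while its neighbours test_python_cookies and test_invalid_cookies have one; a one-liner such as `"""Cookie strings that RFC 6265 allows, plus duplicate-name handling."""` keeps the class consistent. The comment above the double-quote case reads `unamed` and should be `unnamed`. The keebler case in test_python_cookies encodes a deliberate divergence from Python's cookie parser (semicolons inside quotes still split); that is explained in the test comment but not in parse_cookie itself, so a reader of django/http/cookie.py would not find it — worth cross-referencing from the function's docstring.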
diff --git a/tests/middleware/test_security.py b/tests/middleware/test_security.py
index 7c0d504..b134083 100644
--- a/tests/middleware/test_security.py
+++ b/tests/middleware/test_security.py
@@ -110,7 +110,7 @@ class SecurityMiddlewareTest(TestCase):
         """
         self.assertEqual(self.process_response()["x-content-type-options"], "nosniff")
 
-    @override_settings(SECURE_CONTENT_TYPE_NO_SNIFF=True)
+    @override_settings(SECURE_CONTENT_TYPE_NOSNIFF=True)
     def test_content_type_already_present(self):
         """
         The middleware will not override an "x-content-type-options" header
diff --git a/tests/requests/tests.py b/tests/requests/tests.py
index 75118bb..f4a8aea 100644
--- a/tests/requests/tests.py
+++ b/tests/requests/tests.py
@@ -10,7 +10,7 @@ from django.core.exceptions import SuspiciousOperation
 from django.core.handlers.wsgi import LimitedStream, WSGIRequest
 from django.http import (
     HttpRequest, HttpResponse, RawPostDataException, UnreadablePostError,
-    build_request_repr, parse_cookie,
+    build_request_repr,
 )
 from django.test import RequestFactory, SimpleTestCase, override_settings
 from django.test.client import FakePayload
@@ -161,9 +161,6 @@ class RequestsTests(SimpleTestCase):
         request = WSGIRequest({'PATH_INFO': wsgi_str("/سلام/"), 'REQUEST_METHOD': 'get', 'wsgi.input': BytesIO(b'')})
         self.assertEqual(request.path, "/سلام/")
 
-    def test_parse_cookie(self):
-        self.assertEqual(parse_cookie('invalid at key=true'), {})
-
     def test_httprequest_location(self):
         request = HttpRequest()
         self.assertEqual(request.build_absolute_uri(location="https://www.example.com/asdf"),
diff --git a/tests/template_tests/syntax_tests/test_numpy.py b/tests/template_tests/syntax_tests/test_numpy.py
index 16b4d74..7a6caf6 100644
--- a/tests/template_tests/syntax_tests/test_numpy.py
+++ b/tests/template_tests/syntax_tests/test_numpy.py
@@ -10,6 +10,8 @@ try:
     VisibleDeprecationWarning = numpy.VisibleDeprecationWarning
 except ImportError:
     numpy = False
+except AttributeError:  # numpy < 1.9.0, e.g. 1.8.2 in Debian 8
+    VisibleDeprecationWarning = DeprecationWarning
 
 
 @skipIf(numpy is False, "Numpy must be installed to run these tests.")
@@ -20,7 +22,7 @@ class NumpyTests(SimpleTestCase):
             "ignore",
             "Using a non-integer number instead of an "
             "integer will result in an error in the future",
-            numpy.VisibleDeprecationWarning
+            VisibleDeprecationWarning
         )
 
     @setup({'numpy-array-index01': '{{ var.1 }}'})

-- 